States are still scrambling to figure out how to regulate fantasy sports websites like DraftKings and FanDuel. And while much of the attention has been focused on whether fantasy sports should be classified as gambling and whether these websites are being upfront about the risks, some consumers are more worried about data security. Documents obtained by Gizmodo raise questions about whether personal and financial data sent to these companies is being handled properly.

Fantasy sports went from amateur betting pools to big business in a relatively short amount of time. And there’s a lot of money at stake for plenty of powerful interests. The NFL, Major League Baseball, and the NBA are all investors in both FanDuel and DraftKings, the two largest daily fantasy sports operators in the country. But consumers say that DraftKings and FanDuel have been playing fast and loose with cybersecurity.

The biggest alleged sins? Some consumers say that both DraftKings and FanDuel have asked them to send photos of driver’s licenses and credit cards (images of both front and back) over email. Other consumers have alleged that employees at these sites have asked for sensitive information like social security numbers over email and unencrypted web forms. When these consumers have asked what kind of protections are in place for their data, they’ve allegedly gotten no response.

The two fantasy sports companies have faced pressure from state regulators who insist that they’re running sports betting sites. New York recently banned daily fantasy sports, but last week, the governor signed a bill to legalize it. And there have been plenty of rumors about a merger, which would no doubt help DraftKings and FanDuel consolidate power and better fend off attacks from regulators in the 11 states where they’re currently banned.

But so far the focus has largely been on whether fantasy sports is a game of chance or a game of skill. One series of complaints that has flown under the radar concerns whether FanDuel and DraftKings have both used questionable online security practices to verify customer identity information and financial data. These allegations show up repeatedly in documents provided to Gizmodo under a Freedom of Information request to the Federal Trade Commission (FTC).

Below I’ve included a sample of the complaints that I received from my FOIA request to the FTC. It should be noted that the complaints filed with the FTC cover a number of different topics unrelated to data security, some of which you’ll see pop up below. The FTC redacted the consumer complaints it provided to Gizmodo for privacy reasons, meaning that we could not contact the people making the allegations directly.

FanDuel declined to speak on the record for this story, but sources inside the company denied that they currently receive ID or credit card information through channels like email. Other sources at FanDuel could not confirm how recently protections were put in place to protect data submitted by consumers.

A DraftKings spokesperson sent me this statement: “DraftKings takes information security very seriously and employs best-in-class technology and procedures to ensure that customer information is protected.”

The emphasis below is mine to highlight when the complaint revolves around questionable data security practices, as alleged by some of the consumer complaints. Spelling, formatting, and grammatical errors have been retained because I had to read through dozens of these semi-literate complaints so now you’re going to have to as well.

November 2013, DraftKings:

DraftKings is a weekly sports gambling site. It is a type of fantasy league you play for money. My room mate and I started an account. This is the second week we have played. We bet four teams earlier this week from money my roommate [redacted] put in our DK account. We wanted to play some more so I added $25 from my own Paypal account. Draftkings froze our account because we used two diff Paypal accounts to fund our plays. I cannot find that this is a terms of service violation. They asked me to send pictures of the front and back of my driver’s license and issue an explanation for why we funded from two different PayPal accounts. I did as they asked and they still refuse to refund our money or free up our account. I expect one or the other immediately.

December 2014, DraftKings:

DraftKings is an online fantasy sports gaming website. Consumers buy entry into games each week where they select a team of players and, based on those players performances consumers may potentially win money. Because of a misunderstanding of the rules of the website, Draft Kings suspended my account. But, before they would reinstate my account they said they need me to send a copy of my the front and back of my credit card as well as the front and back of my driver’s license. I did not comply with their request because of the obvious security threat to my personal information. Additionally, I know that PCI Security Standards Council highly recommends against sending or storing a hard copy of customer credit card information. Because I would not supply the requested information to Draft Kings, they closed my account and I was forced to lose all of my winnings. Thank you.

January 2015, DraftKings:

Latest problem is that I deposited money into an account. They then froze my account. When I asked them why they did this they asked me for pictures of both sides of all my credit cards, pictures of both sides of my drivers licence and utility bills. I told them no I did not find this reasonable, I did give them a copy of the front of my drivers license and a copy of a utility bill but said I would give no such further information. They have continued to pursue pictures of my credit cards until I told them that I would contact the FTC regarding what they are requesting me to do. After telling them I would file a complaint they banned me from there website. I have multiple emails from ( Nick B) regarding this information and his constant request for images of my credit cards when I continually stated I would not give him these. Prior to this problem I had a prior problem with the company to which I had contacted them about. The prior problem was that they were providing false information on there website that would intentionally cause any body reading this information (including me) to lose there contests which they make you pay to play. I asked for a refund at this time which they would not issue to me as they told me that it is my responsibility to confirm that the information they publish on their website is correct. I cannot confirm the following statement “but I have had a gut feeling that they may be fraudulently rigging there contents because of a players (myself and others) being unable to see ether’s line ups which has made me thought its possible they are entering contests and directly affecting the outcomes.

October 2015, DraftKings:

My co-worker and I decided to share the account with Draftkings, I had initially deposited money into the account and when it ran out my co-worker deposited $50. The next day my account was put on restriction pending sending verification information that included a photo of both credit cards, front and back, along with our drivers licenses, front and back. That sensitive information was sent on September 28th to a Paul from Draftkings, after a day or two I sent in an inquiry and in return I received an email from Dan stating they did not receive my information and that I need to send in the exact same information I had previously sent again. I did not resend it but instead I requested a confirmation of receipt for this sensitive information that I had previously sent. There possession of our credit card and drivers license information is worrisome since I have not received confirmation. I have to constantly check my bank statement to ensure no fraudulent charges have been made since

October 2015, DraftKings:

On Sunday my girlfriend gifted me $25 to deposit on Draftkings. The site does not restrict the use of a third party credit card to deposit money. I was notified shortly after the contest started that my account was restricted due to the use of a third party’s credit card.I was requested to send front and back of my DL, my girlfriend’s DL and the card used in the transaction along with an explanation of its use. I provided the information as requested. They responded automatically with a link to a site with a ticket number. The link did not work, though the my matter was erroneously marked ‘solved’ when it was not even addressed. After over 10 requests for someone to call me or answer my emails, I was curiously requested to change my account information and provide a photo of the front and back of every card I have used on the site since I opened the account. At this point I had spent over 4 hours trying to solve the issue with no sign of competency forthcoming. Consequently I advised I was filing this complaint. Either they are the single most inept company or they are trying to delay any withdrawal of funds due to the recent controversy of using inside information

November 2015, FanDuel:

I joined FanDuel on line and started playing Games. I went to set up my paypal account in case I won something. I was then required to be verified. FanDuel requested several articles such as a photo and copy of my drivers licence. I sent these things and other articles. Each time I sent something they rejected it. There is nothing else I can do and after being allowed to play, after they took my money, now they refuse to verify me and won`t allow me to play or get my money. —- Additional Comments: If they refuse to verify me and refuse to allow me to play I want a total refund of they money they allowed me to deposit in my account and allowed me to spend without any way to collect.

November 2015, DraftKings:

I haven’t found anything that says they are a scam but I will say they have horrible customer service.I used draftkings for three months never having a problem with them.Then one night it was to late to go to the bank so I gave my dad $25 and he used his credit card in which draft kings took and deposited my money (they had no problem taking it)About a hour later they froze my account.then every time I responded to them they’d send me a automated response that had nothing to do with my problem. Finally the next day,cause you can only email them,they have no phone customer service which is ridicules. They then asked me to send a picture of me and my wifes(since I used her card with no problems)and my fathers picture ids. Which we all live in the same residence. (that right there should have been enough). Plus they wanted to email them pictures of our credit cards front and back. Anyone with any sense could see why we wouldn’t do it.(keep in mind that me or anyone else whos card I used reported no problems whats so ever).When we refused after 4 days of receiving a response over 5-6 hours at time. They acted like it was no big deal just to send them our ids and pics of our cards. Keep in mind that everytime you enter a card you have to enter the name and addresse on the card which worked without a hitch.I think its employees causing fake problems so that they can get pictures of you ids your address and your card numbers plus the security codes on the back since they wanted pics of front and back. they are crooks they are slow to responded they demand unreasonable expectations.My father has used Fanduel for the same amount of time and never had any problems with them I recommend going there.Plus I went to Louisiana one time with my cell phone and draftkings restricted my cell phone and never fixed that problem either once,again sending me automated responses that solved nothing

January 2016, DraftKings:

On August 24th, 2015 my friends and I enlisted DraftKings to facilitate our Fantasy Football League. After we deposited money for our league (to be dispersed to the winners in late Dec / early January), DraftKings had legal issues regarding their business practices. They updated/changed their Terms and Conditions to require those individuals withdrawing earnings to fill out sufficient tax forms. Even those individuals who were not participating in their daily, weekly, monthly gambling series. I am fully compliant to filling out necessary tax forms, complying with Federal Law, and have no issues with said forms... except for the manner in which DraftKings mandates we supply. They ask for users to either fax their information (including social security number) or supply via an online form. I have questioned DraftKings about whey THEY need my social security number, what internet security protocols they use, what data center security practices they use, or any information on the security requirements they are mandated to uphold by law with such sensitive information. They do not offer customer support via telephone which is highly suspect, and can’t supply me with any alternative means to filling out said federal forms, in addition to denying my request regarding their security practices followed. I do not feel comfortable supplying their website (or some random fax number) with my social security number and date of birth, but am more than happy to supply this information to the government, IRS, or any other watchful, security regulated eye. DraftKings refuses any other means. How is this legal? How can they change their terms AFTER they have our money? How can they not legally be forced to provide security protocols to ensure customer data is being treated sensitively? Please help. This organization should not be allowed to do this.

January 2016, DraftKings:

I have done business with draft kings for a few years....received an email from them demaning my SSN for tax purpses and they gave me 24 hours to comply by typing into their website using a link that readily des not appear. At first I thught it was phishing, but they told me its a real request...problem is I have no relationship with them that is on the scale where they have any need for tax froms (I did not make 600 in 2015).....I am questining the legality of what they are doing as they have no legal basis fr asking for this. I told them if I EVER made 600, I would gladly give it to them on a signed form, but that need does not exit. I still wonder if its a phishing scam. I guard my SSN well.

April 2016, FanDuel:

On yesterday 4/10/2016 I deposited $50 dollars into fanduel and gambled on NBA Basketball games as soon as I deposited the money into the basketball games my account was suspended and deactivated. I couldn’t take the money out the account or make changes to the people I wanted to gamble on. I contacted customer service regarding the issue and when they contacted me back the basketball games already started so I lost the money. They told me that they have reason to believe I’m someone else even though I have been gambling with them for 3 years. They told me I need to take a picture of my unexpired I.D and a credit card with my name on it to get my account reinstated, but the money I lost will not be refunded to me. Nowhere in the contract does it say I will have to take a picture of an unexpired I,D and a credit card. This is false practice

April 2016, FanDuel:

I deposited money with Fan Duel prior to my state’s AG determining that it was online gambling and banning Illinois citizens from playing. I asked for my remaining balance to be sent back to me. They informed me that I would have to give them my social security number. When I declined, they attempted to re-assure me by sending me their privacy policy (see below). Their privacy policy is arguably the weakest I have ever seen. Typically, a company seeking personal information will state the steps that they are taking to keep that information safe, and, for the most part, provide additional information regarding the steps that they will take in the event of a breach. Fan Duel on the other hand is telling customers, ‘send us your personal information, and if we are breached, its on you.’ How can a company require personal information and at the same time say that they are not responsible for any bad that comes from giving it to them? From Fan Duel’s Privacy Policy: Data Security, FanDuel uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information. We cannot, however, ensure or warrant the security of any information you transmit to FanDuel and you do so at your own risk.

It should be noted that FanDuel’s security information currently reads as follows:

Whilst neither we, nor any other organization, can guarantee the security of information processed online, we do have appropriate security measures in place to protect your personal information. For example, we store the personal information you provide on computer systems with limited access that are located in facilities to which access is limited.